The following configuration cannot get online. Where is the problem? Please help, thanks!
#
version 7.1.064, Release 9660P53
#
sysname H3C
#
clock protocol none
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
irf auto-merge enable
undo irf link-delay
irf member 1 priority 1
#
dns server 8.8.8.8
dns server 114.114.114.114
dns server 119.29.29.29
#
password-recovery enable
#
vlan 1
#
object-group ip address DNS_add
description 电信、移动DNS
0 network host address 218.85.152.99
10 network host address 218.85.157.99
20 network host address 119.29.29.29
30 network host address 211.138.151.161
40 network host address 211.138.156.161
#
object-group ip address Internet
0 network host address 0.0.0.0
#
object-group ip address LAN
security-zone Trust
0 network subnet 202.118.228.0 255.255.255.0
#
object-group ip address white
5 network host address 120.236.178.66
10 network host address 120.197.57.130
15 network host address 120.236.178.32
20 network host address 112.91.159.2
25 network host address 27.154.226.102
30 network host address 125.64.43.69
35 network host address 183.11.233.46
36 network host address 61.140.246.84
37 network host address 113.119.31.43
38 network host address 61.140.244.47
40 network range 182.150.21.160 182.150.21.220
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface Vlan-interface1
ip address 202.118.228.100 255.255.255.0
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage snmp inbound
manage ssh inbound
manage ssh outbound
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description GuideWan Interface
bandwidth 60000
ip address 117.25.1**.** 255.255.255.240
dns server 1.2.4.8
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage snmp inbound
manage ssh outbound
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode bridge
#
interface GigabitEthernet1/0/15
port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
import interface GigabitEthernet1/0/14 vlan 1
import interface GigabitEthernet1/0/15 vlan 1
import vlan 1
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 125.*.*.*
#
performance-management
#
ssh server enable
#
arp ip-conflict log prompt
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$AVTmR2H6uKhSDlPT$vuUvzZxdQh7Aa5gAzT6xo323QXcyvt7BNzmUfIdAIFSxENvsPM9taQVp2HW3GxPLTO8G2TV5eO9rMEtv6zQFaw==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec logging negotiation enable
#
nat global-policy
rule name Trust_to_Untrust_NAT
source-zone Trust
destination-zone Untrust
action snat easy-ip
#
ike logging negotiation enable
#
ip https enable
#
blacklist global enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
traffic-policy
rule 1 name GuideAVCPolicy
action qos profile guideavcprofile1
profile name guideavcprofile1
bandwidth downstream guaranteed 60000
bandwidth downstream maximum 60000
#
security-policy ip
rule 4 name GuideSecPolicy
action pass
counting enable
source-zone Trust
destination-zone Untrust
rule 1 name deny_blacklist
disable
logging enable
counting enable
source-zone Untrust
source-zone Trust
destination-zone Trust
destination-zone Untrust
source-ip white
rule 2 name Permit_DNS
action pass
logging enable
counting enable
profile 2_IPv4
source-zone Trust
destination-zone Untrust
destination-ip DNS_add
service dns-tcp
service dns-udp
rule 3 name deny_any
disable
logging enable
counting enable
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return
F1000-AK135 cannot access the Internet: complete fault localization & fix
I. First, the 4 fatal problems (by priority)
Problem 1: wrong default-route next hop (the core issue)
```plaintext
ip route-static 0.0.0.0 0 125.*.*.*
```
The WAN interface G1/0/1 address is in the 117.25.1**.*/240 block, so the next hop must be the ISP gateway in that same subnet; you entered a 125.x address, which is a completely different subnet, so the route cannot reach the Internet at all.
Fix: change the default route to the ISP gateway, for example (replace with the real gateway):
```bash
ip route-static 0.0.0.0 0 117.25.1**.1
```
Problem 2: the internal source network 202.118.228.0 is not restricted in NAT / security policy, but return traffic is at risk without a route
The Trust internal segment is 202.118.228.0/24 and the public egress is in the 117 block; forwarding only works once the default route is corrected.
Problem 3: the NAT global policy logic is fine, but confirm that EasyIP is bound to the egress interface
Your SNAT configuration:
```plaintext
nat global-policy
rule name Trust_to_Untrust_NAT
source-zone Trust
destination-zone Untrust
action snat easy-ip
```
easy-ip automatically uses the public IP of the egress interface G1/0/1; the syntax itself is fine, but only if traffic can actually be routed to G1/0/1.
Problem 4: the security policy has redundant rules; the DNS rule is a duplicate permit but does not affect connectivity
Security-policy rule 4 already permits all Trust→Untrust traffic globally, so rule 2's DNS permit is redundant, but it does not break connectivity;
rule 1 (the blacklist policy) is disabled and has no effect.
Problem 5: do the internal hosts use the firewall's Vlanif1 202.118.228.100 as their gateway?
If the gateway on the endpoints is wrong, traffic never reaches the firewall at all and Internet access fails too.
II. Complete fix configuration (copy it over the corresponding parts)
1. Fix the default route (key)
Delete the wrong route first, then add the correct ISP gateway
```bash
undo ip route-static 0.0.0.0 0 125.*.*.*
# replace with the same-subnet gateway IP the ISP gave for G1/0/1
ip route-static 0.0.0.0 0 117.25.1**.1
```
2. Verify NAT: no changes needed, the existing SNAT rule works
```plaintext
nat global-policy
rule name Trust_to_Untrust_NAT
source-zone Trust
destination-zone Untrust
action snat easy-ip
```
As long as traffic enters from Trust and leaves via Untrust, it is automatically translated to G1/0/1's public IP.
3. The security policy needs no change; rule 4 already permits everything
```plaintext
security-policy ip
rule 4 name GuideSecPolicy
action pass
counting enable
source-zone Trust
destination-zone Untrust
```
III. Step-by-step verification commands (locate the blocking point)
1. Check whether the ISP gateway is reachable
```bash
# test connectivity to the ISP gateway
ping 117.25.1**.1
# show the routing table
display ip routing-table
```
The default-route next hop must be an IP in G1/0/1's subnet.
2. Test forwarding & NAT translation from the LAN
Ping 8.8.8.8 from an internal PC while running the following on the firewall:
```bash
# show the NAT session table; translation entries mean SNAT is working
display nat session all
# show security-policy hit counters; a count on rule 4 means traffic passes the policy
display security-policy statistics rule 4
```
3. Interface & security-zone check
```bash
# confirm Untrust is bound to the WAN port and Trust to the internal Vlanif1
display zone
# show the G1/0/1 interface IP
display interface GigabitEthernet 1/0/1
```
IV. Additional secondary checks
- ISP gateway reachability: if 117.25.1**.1 does not respond to ping, check the cable, the ONT/modem and the ISP port for faults, and whether the interface IP / mask is entered wrongly.
- Endpoint gateway settings: internal PCs must use 202.118.228.100 as gateway and 8.8.8.8 as DNS.
- Any ACL / traffic policy blocking: the traffic policy only does QoS bandwidth shaping, has no deny rule, and does not block Internet access.
- EasyIP prerequisite: SNAT only reuses the interface's public IP when traffic is forwarded out G1/0/1; if the route is wrong, NAT is never triggered.
V. Shortest fault summary
Root cause: the default static route's next hop is in the wrong subnet, so internal traffic cannot be routed to the WAN egress G1/0/1; SNAT and the security policy are both configured correctly, and correcting the default route restores Internet access.
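As an added example that is not part of the original question or answer (and not H3C's own tooling), the following Python script automates the two checks a reviewer of this config would want: it parses Comware-style `interface`, `ip route-static` and `security-zone` blocks, flags any static route whose next hop is not on a directly connected subnet (the root cause identified above), and, going beyond the answer, flags inbound management services (`manage ... inbound`) on interfaces imported into the Untrust zone, which the posted config also has on G1/0/1. The embedded sample configuration is constructed to mirror the shape of the one in the question, using RFC 5737 documentation addresses rather than the poster's real (masked) addresses; the function names are the example's own.

```python
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample in H3C Comware style, mirroring the shape of the config in the
# question. Addresses are RFC 5737 documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
#
interface Vlan-interface1
 ip address 192.0.2.100 255.255.255.0
 manage https inbound
 manage ssh inbound
#
interface GigabitEthernet1/0/0
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
 description GuideWan Interface
 ip address 198.51.100.2 255.255.255.240
 manage https inbound
 manage ping inbound
 manage snmp inbound
 manage ssh outbound
#
security-zone name Trust
 import interface Vlan-interface1
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0 203.0.113.1
#
return
"""

# The same config with the next hop moved into G1/0/1's /28, i.e. the fix the answer recommends.
FIXED_CONFIG = SAMPLE_CONFIG.replace("203.0.113.1", "198.51.100.1")

ROUTE_RE = re.compile(r"^ip route-static (\S+) (\S+) (\S+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {interface: {"address": IPv4Interface or None, "inbound": set of manage services}}."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"address": None, "inbound": set()}
        elif line == "#":
            current = None  # '#' closes every Comware config block
        elif current and line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]  # Comware writes dotted-decimal masks
            interfaces[current]["address"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif current and line.startswith("manage ") and line.endswith(" inbound"):
            interfaces[current]["inbound"].add(line.split()[1])
    return interfaces


def parse_zone_membership(config: str) -> Dict[str, str]:
    """Return {interface: zone} from 'security-zone name X' / 'import interface Y' blocks."""
    zones: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("security-zone name "):
            current = line.split()[-1]
        elif line == "#":
            current = None
        elif current and line.startswith("import interface "):
            zones[line.split()[2]] = current
    return zones


def parse_static_routes(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (destination, next hop) pairs; the hop stays text because it may be an interface name."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            dest, mask, nexthop = m.groups()
            # Comware accepts either a prefix length ("0") or a dotted mask after the destination.
            routes.append((ipaddress.IPv4Network(f"{dest}/{mask}", strict=False), nexthop))
    return routes


def check_next_hops(config: str) -> List[str]:
    """One finding per static route whose IP next hop lies on no directly connected subnet."""
    connected = [i["address"] for i in parse_interfaces(config).values() if i["address"]]
    findings = []
    for dest, nexthop in parse_static_routes(config):
        try:
            hop = ipaddress.IPv4Address(nexthop)
        except ValueError:
            continue  # next hop given as an outgoing interface: nothing to compare against
        if not any(hop in addr.network for addr in connected):
            findings.append(f"route {dest} via {hop}: next hop is not on any connected subnet")
    return findings


def check_wan_management(config: str, untrusted_zones=("Untrust",)) -> List[str]:
    """Flag management services answering inbound on an interface placed in an untrusted zone."""
    zones = parse_zone_membership(config)
    findings = []
    for name, info in parse_interfaces(config).items():
        if zones.get(name) in untrusted_zones and info["inbound"]:
            findings.append(f"{name} ({zones[name]}): inbound management enabled for {sorted(info['inbound'])}")
    return findings


def lint(config: str) -> List[str]:
    """Run both checks and return all findings in order."""
    return check_next_hops(config) + check_wan_management(config)


if __name__ == "__main__":
    # Usage: python lint_h3c.py saved-config.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in lint(text) or ["no findings"]:
        print(finding)
```

Save the output of `display current-configuration` to a file and pass it as the first argument; on the constructed sample the script reports the off-subnet next hop and the inbound https/ping/snmp management on the Untrust interface, and on the fixed copy only the management finding remains.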